-----Original Message-----
This PC is running XP Home, and every 15 to 30 minutes it resets itself, posting a pop-up window that says an error occurred in the windows\system32\lsass.exe file and the number -1073741819. I did an update to Norton's and it still doesn't find any virus. Please... any help would be appreciated.
Clancey
Sounds like you've been infected by the Sasser worm... Find the article about this on the Microsoft web site, and don't forget to download the patch...
- Below is some information from an antivirus software vendor -
When W32.Sasser.E.Worm runs, it does the following:

1. Attempts to create a mutex named SkynetNotice and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.

2. Copies itself as %Windir%\lsasss.exe.
   Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

3. Adds the value:
   "lsasss.exe"="%Windir%\lsasss.exe"
   to the registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   so that the worm runs when you start Windows.

4. Deletes the values:
   "ssgrate.exe"
   "drvsys.exe"
   "Drvddll_exe"
   from the registry key:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   Note: The deleted values are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.

5. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer. The worm calls this API every second during the first two hours it runs. Then, it displays a message with the following text:
   1. Your computer is affected by the MS04-011 vulnerability
   2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
   3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
   4. This is an message from the SkyNet Team for malicious activity prevention

6. Starts an FTP server on TCP port 1023. This server is used to spread the worm to other hosts.

7. Retrieves the IP addresses of the infected computer, using the Windows API gethostbyname.
   Note: The worm will ignore any of the following IP addresses:
   127.0.0.1
   10.x.x.x
   172.16.x.x - 172.31.x.x (inclusive)
   192.168.x.x
   169.254.x.x

8. Generates another IP address, based on one of the IP addresses retrieved from the infected computer.
   25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, C and D will be random.
   23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, B, C, and D will be random.
   52% of the time, the IP address is completely random.
   Notes:
   Because the worm creates a completely random address 52% of the time, any IP address can be infected, including those ignored in step 7.
   This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow as to be barely usable.

9. Connects to the generated IP address on TCP port 445 to determine if a remote computer is online.

10. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 1022.

11. Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 1023, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _upload.exe. For example, 74354_upload.exe.

12. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the computer in one minute.

13. Creates a file at C:\ftplog.txt that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
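As an added defender-side example (not from this thread or the vendor write-up), a small Python script that turns the indicators quoted above into checks: the lsasss.exe Run-key persistence entry, the four-or-five-digit _upload.exe file name, and the 445 -> 1022 -> 1023 connection sequence between an infected host and the host it exploits. The flow records and Run-key export it runs over are constructed sample data, not captured traffic or a real registry.

```python
import re
from collections import defaultdict

# Indicators quoted from the vendor write-up: the worm binary name (note the
# triple 's', unlike the legitimate lsass.exe), the ports it uses, and the
# naming pattern of the copy a newly exploited host pulls down over FTP.
WORM_RUN_VALUE = "lsasss.exe"
SMB_PORT, SHELL_PORT, FTP_PORT = 445, 1022, 1023
UPLOAD_NAME = re.compile(r"^\d{4,5}_upload\.exe$", re.IGNORECASE)

def suspicious_run_values(run_values):
    """Return Run-key entries ({name: command}) matching the worm's persistence value."""
    return {n: c for n, c in run_values.items()
            if n.lower() == WORM_RUN_VALUE or c.lower().endswith("\\" + WORM_RUN_VALUE)}

def is_upload_name(filename):
    """True for names like 74354_upload.exe, the copy fetched from the worm's FTP server."""
    return UPLOAD_NAME.match(filename) is not None

def find_propagation_chains(flows):
    """Spot the 445 -> 1022 -> 1023 sequence between a pair of hosts.
    flows: (src, dst, dst_port) tuples in time order. Returns sorted
    (infected_host, victim) pairs where the infected host reached the victim on
    445 then 1022, and the victim then connected back to it on 1023 (FTP)."""
    stage = defaultdict(int)   # (src, dst) -> how far along the sequence the pair is
    chains = set()
    for src, dst, port in flows:
        if port == SMB_PORT and stage[(src, dst)] == 0:
            stage[(src, dst)] = 1
        elif port == SHELL_PORT and stage[(src, dst)] == 1:
            stage[(src, dst)] = 2
        elif port == FTP_PORT and stage[(dst, src)] == 2:
            chains.add((dst, src))
    return sorted(chains)

# Constructed sample data, not captured traffic or a real registry export.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.20", 445),   # scan hits an online host
    ("192.0.2.10", "192.0.2.20", 1022),  # remote shell opened by the exploit
    ("192.0.2.20", "192.0.2.10", 1023),  # victim fetches the worm copy over FTP
    ("192.0.2.10", "192.0.2.30", 445),   # scan of a host that was not exploited
    ("192.0.2.40", "192.0.2.50", 1023),  # unrelated connection to port 1023
]
SAMPLE_RUN_KEY = {"lsasss.exe": r"C:\WINDOWS\lsasss.exe",
                  "SunJavaUpdateSched": r"C:\Program Files\Java\jusched.exe"}

if __name__ == "__main__":
    print(find_propagation_chains(SAMPLE_FLOWS))
    print(suspicious_run_values(SAMPLE_RUN_KEY))
```

A lone connection to port 445 is normal SMB traffic and is deliberately not flagged; only the full three-step sequence between one pair of hosts is reported.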